← back
CVE-2026-10721

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the in Permission, Cache, and Search components

CVSS 8.4 HIGHEPSS 0.1%CWE-502
Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the  in Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 for reporting.
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
Concrete CMS · Concrete CMS

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://documentation.concretecms.org/9-x/developers/introduction/version-history/952-release-notes